Google Home devices can leak your location, but a fix is coming

GOOGLE HAS JUMPED into action and promised to fix a bug in the Google Home smart speaker that risks giving away users’ location.

Tripwire cybersecurity researcher Chris Young found that while high-level machine learning tasks carried out by Google Home devices connect to Google’s cloud, lesser tasks like setting up a new device only require a local connection between it an accompanying mobile app.

Such a connection requires no authentication so can be exploited by hackers using a domain name service rebinding technique which could be used to present Google Home users with a malicious link. Said technique could then be used to extract data and more worryingly figure out locations, despite the hacker not needing to be connected to the same WiFi network as the Google Home.

“An attacker can be completely remote as long as they can get the victim to open a link while connected to the same WiFi or wired network as a Google Chromecast or Home device,” Young told KrebsOnSecurity.

“The only real limitation is that the link needs to remain open for about a minute before the attacker has a location. The attack content could be contained within malicious advertisements or even a tweet.”

The location-locating side of things comes courtesy of how the Google Home triangulates its position by essentially building up a map of all the nearby wireless networks. Hackers exploiting the bug in devices could extract a list of nearby wireless devices for the compromised smart speaker then plonk that data into Google’s own geolocation services, thereby getting a pretty good idea of where the compromised device is.

What hackers could then go and do with that data is anyone’s guess; perhaps they could use it as part of an educated guess to determine how tech-filled the user’s home is and if it’s worth burgling. If nothing else, the bug is a breach in people’s privacy.

Young noted there’s a bit of potential for the bug to have some nasty ramifications: “The implications of this are quite broad, including the possibility of more effective blackmail or extortion campaigns.

“Common scams like fake FBI or IRS warnings or threats to release compromising photos or expose some secret to friends and family could use this to lend credibility to the warnings and increase their odds of success.”

He also noted that while the Google Home is the culprit of this privacy sapping problem, there are plenty of other smart and embedded devices he’s spotted that can supply location and WiFi data.

All this point towards the lack of security in smart devices as everyone rushes to get them to the market. And it has us think that perhaps we should just yank all our smart home tech out and rely on good old-fashioned type-questions-into-Google rather than bark commands at smart devices.

Young warned that until all data requests made by smart devices have some form of proper authentication, it’s best to either avoid them or take action like using network segregation and DNS rebind protection.

“Consumers should separate their devices as best as is possible and be mindful of what websites or apps are loaded while on the same network as their connected gadgets,” he added.

Subscribe to PHI via Email

Enter your email address to subscribe to PHI and receive notifications of new posts by email.

Join 3,123 other subscribers

Email Address

PROFESSIONAL HACKERS INDIA

We are proud to offer premier information security updates, IT updates, Core Tools And Techniques across the globe. Our mission is to make the internet more secure, more trendy, more aware and more reliable.